Cortana Hack Lets You Change Passwords on Locked PCs


Microsoft has patched a vulnerability in the Cortana smart assistant that could have allowed an attacker with access to a locked computer to use the smart assistant and access data on the device, execute malicious code, or even change the PC’s password to access the device in its entirety.

The issue was discovered by Cedric Cochin, Cyber Security Architect and Senior Principal Engineer at McAfee. Cochin privately reported the problems he discovered to Microsoft in April.

The vulnerability is CVE-2018-8140, which Microsoft classified as an elevation of privilege, and patched yesterday during the company’s monthly Patch Tuesday security updates.

Cochin says the issue existed because of several quirks in how Cortana allows users to interact with the underlying Windows 10 OS while the machine is in a locked state.

Cochin discovered several features that could be combined into one larger attack:

- Users can start typing after they say “Hey Cortana” and issue a voice command. This brings up a special search popup with various features and capabilities.

- Users can type text in this popup, which searches the laptop’s application index and its filesystem. By typing certain words, like “pas” (as in password), this search can bring up files containing this string in their file paths or inside the file itself. Hovering the mouse over one of these search results can reveal the file’s location on disk, or the content of the file itself (a big issue if the disclosed detail is a password).

- Users can access the right-click menu after using the same trick of starting to type after triggering Cortana. These menus include various sensitive options, such as “Open file location,” “Copy full path,” “Run as Administrator,” or, the more dangerous one, “Run with PowerShell.”

- Using the same trick of starting to type after issuing a Cortana voice command, attackers can execute files or run PowerShell commands.

Combining all these issues into one attack, Cochin says that a hacker with access to a locked computer can carry out the following attack:

- The attacker connects a USB stick containing a malicious PowerShell script. Windows alerts the user of the new drive by displaying the USB drive letter as a small notification in the lower area of the screen. This lets the attacker know the exact file path of his malicious script.
- The attacker issues a Cortana voice command but starts typing on the keyboard to interrupt the voice command execution. This brings up the special Cortana search popup.
- The attacker runs a PowerShell command with CLI arguments to run the malicious PowerShell script found on the USB drive.
- The malicious PowerShell script executes, despite the computer being locked. The attacker can use PowerShell to reset the password, disable security software, run chained commands, or do anything else he wants.

Cochin published fine-grained details about how CVE-2018-8140 affects recent versions of Windows 10, along with a video showing how he hijacked a PC by changing a locked account’s password using Cortana.

Users are advised to either update to the latest version of Windows, or disable Cortana on the lock screen.
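For administrators who want to apply the second mitigation centrally rather than through each user’s Settings app, the script below is an added example (not from this article, McAfee, or Microsoft) that audits and enforces the “Allow Cortana above lock screen” group policy. It assumes that policy is stored at HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search in a DWORD named AllowCortanaAboveLock, where 0 disables Cortana on the lock screen; confirm that location against the ADMX templates in your environment before deploying it. The function names are this example’s own.

```powershell
# Added example: audit and enforce the "Allow Cortana above lock screen" policy,
# which is the mitigation the article recommends for unpatched machines.
# Assumption: the policy lives at the registry path below as a DWORD named
# AllowCortanaAboveLock (0 = disabled). Run from an elevated PowerShell session.

$PolicyPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
$PolicyValue = 'AllowCortanaAboveLock'

function Get-CortanaAboveLockState {
    # Returns 'Disabled', 'Enabled', or 'NotConfigured'. 'NotConfigured' means
    # the per-user Settings toggle decides, so the lock-screen assistant may
    # still be reachable on builds without the CVE-2018-8140 fix.
    $item = Get-ItemProperty -Path $PolicyPath -Name $PolicyValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$PolicyValue -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-CortanaAboveLock {
    # Creates the policy key if it is missing and forces the value to 0,
    # overriding whatever the user chose in Settings.
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name $PolicyValue `
        -PropertyType DWord -Value 0 -Force | Out-Null
    return (Get-CortanaAboveLockState)
}

# Report the current state, then remediate only when needed so the script is
# safe to run repeatedly from a scheduled task or configuration tool.
$before = Get-CortanaAboveLockState
Write-Host "Cortana above lock policy before: $before"
if ($before -ne 'Disabled') {
    $after = Disable-CortanaAboveLock
    Write-Host "Cortana above lock policy after:  $after"
}
```

The registry write takes effect the next time the lock screen is shown after policy refresh (or after the user signs out), so a fleet-wide rollout should be followed by a check of `Get-CortanaAboveLockState` on a sample of hosts. Treat this as a layered control alongside installing the June 2018 update that fixes CVE-2018-8140, not as a replacement for it.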